CVE-2026-58143
Deferred Deferred - Pending Action

Cross-Site Request Forgery in Cotonti Siena

Vulnerability report for CVE-2026-58143, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes the application's CSRF validation function. Attackers can disable the PFS module's file extension whitelist by setting pfsfilecheck to 0, enabling any user with PFS access to upload and execute arbitrary PHP files on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cotonti siena to 0.9.26 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Cotonti Siena 0.9.26 and earlier versions. It is a cross-site request forgery (CSRF) issue that allows unauthenticated attackers to modify administrator configurations. The attack works by tricking a logged-in administrator into submitting a forged POST request to the admin.php configuration update handler, which does not invoke the application's CSRF validation function.

Specifically, attackers can disable the PFS module's file extension whitelist by setting the parameter 'pfsfilecheck' to 0. This enables any user with PFS access to upload and execute arbitrary PHP files on the server.

Compliance Impact

This vulnerability allows unauthenticated attackers to modify administrator configurations and upload arbitrary PHP files by exploiting a cross-site request forgery flaw. Such unauthorized access and control over administrative functions can lead to data breaches, unauthorized data modification, and potential exposure of sensitive information.

Consequently, this can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring data integrity, and preventing unauthorized access. The vulnerability undermines these requirements by enabling attackers to bypass security controls and potentially compromise protected data.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to bypass security controls and execute arbitrary PHP code on the server. By disabling the file extension whitelist in the PFS module, attackers can upload malicious PHP files, potentially leading to full server compromise.

Since the attack requires tricking an authenticated administrator into submitting a forged request, it can lead to unauthorized configuration changes without the administrator's knowledge.

Detection Guidance

This vulnerability involves an attacker tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler that disables the PFS module's file extension whitelist by setting the parameter "pfsfilecheck" to 0.

To detect this vulnerability on your system, you can monitor HTTP POST requests to the admin.php endpoint, specifically looking for requests that include the parameter "pfsfilecheck" set to 0.

Example commands to detect suspicious activity might include:

  • Using tcpdump or tshark to capture POST requests to admin.php and filter for "pfsfilecheck=0" in the payload.
  • Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /admin.php'
  • Using web server logs to search for POST requests to admin.php with the parameter "pfsfilecheck=0".
  • Example grep command: grep 'POST /admin.php' /var/log/apache2/access.log | grep 'pfsfilecheck=0'
Mitigation Strategies

Immediate mitigation steps include restricting access to the admin.php configuration update handler to trusted administrators only and ensuring that administrators are aware not to click on suspicious links or submit unexpected POST requests while logged in.

Additionally, you should consider implementing or enforcing CSRF protection mechanisms in the application, such as validating CSRF tokens on all state-changing requests.

If possible, disable or restrict the PFS module access until a patch or update is available to prevent arbitrary PHP file uploads.

Monitoring and alerting on changes to the "pfsfilecheck" parameter in configuration updates can also help detect exploitation attempts early.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart